Tuesday, January 27, 2009

Apathy at Monster Data Breach

Nothing new about data breaches of course. A recent report from the Identity Theft Resource Center lists 656 incidents for 2008. But the large majority of incidents are at places that you've probably never heard of (Spicy Pickle at Portage anyone?). Monster of course is a different story. Most people have probably been on their site at some point or another looking for a job. Monster-sized data breaches (cringeworthy pun intended) usually only occur a few times a month.

Which makes it all the more surprising that this breach has received almost no media attention. Googling the terms Monster, data and breach brought up just a handful of relevant results.

This is surprising for two reasons - (1) Monster already suffered a massive and highly publicized data breach in the summer of 2007 and they waited for 5 days before notifying, and (2) Monster admits that user selected passwords were compromised. There seem to be only two possible explanations for the lack of media interest - Monster has chosen not to notify customers, and they have not released details of the breach.

There has been a lot of discussion about whether data breach notification laws work (see my earlier post on this topic). The Monster incident underscores an obvious fact - incidents that do not involve notification letters receive less media attention. This makes sense of course; when you send out a notification letter to 50,000 people, chances are one of them is a reporter.

Without knowing the details of the Monster breach, it is impossible to judge whether notification was required. Data breach notification laws (currently in place in 44 states) have differing requirements but generally require notification if (1) some PII (Personally Identifiable Information) was compromised and (2) there is some chance that this information will be misused. Since Monster has users in all 50 states, it is presumably subject to the strictest of all these state laws. It would seem impossible for Monster to rule out item (2), so presumably Monster has been advised that according to all state laws user passwords alone are not considered PII.

It's very interesting that user passwords to Monster-type sites are not considered PII. For one thing, a Monster account itself can give access to PII. A resume usually has an address and phone number on it. Even if the compromised accounts were de-activated, a Monster username and password combination would probably in many cases also work on the corresponding Hotmail or Gmail account. This might no longer be Monster's direct problem, but you would think this would have made the breach bigger news in the media.

If you read the notification on Monster's website, the basic message is that stuff happens and that users should take preventative measures. I am not sure how this will resonate with users, but my guess is that Monster's users are not a particularly security-sensitive group when it comes to this site. After all, whether you are an employer or a job seeker, you are joining Monster so that people can reach you. The underlying expectation of privacy is low because of the inherently externally facing nature of the site.

Two final thoughts on the notification that Monster posted on its website. Initially, there was no justification given on the website for not notifying customers. In the last few days that was updated to say that this was done so as not to give phishers a template for phishing emails. I am not a lawyer, so I don't know whether the law allows companies to make these kinds of judgment calls on whether to notify. But data breach notification laws differ significantly from state to state, and I find it hard to believe that this wiggle room exists in all 44 breach notification laws.

Another interesting point is the way that Monster defends its own data security practices. Monster claims to "devote significant resources" to security measures. This is a refreshing approach that I have advocated previously on this blog; your actual security commitment can and should be measured in dollars and cents.

However, it is disappointing that Monster has chosen not to disclose any details about their security "to maintain the integrity of these security and monitoring systems". There is nothing confidential about a company's general security narrative, and one reason to maintain such a narrative is precisely for situations like these. The web notification is posted by Patrick Manzo, Monster's Chief Privacy Officer. I don't know whether Monster has a CISO, but this would be a good time to bring him or her out of the woodwork. Breaches can happen to any organization, even ones that have their house in order. The important thing is to have a solid story when something does happen.